14/07: We plan to write a blog article on protecting your MySQL database

Basically, if you write a web form and then a PHP script that places the data entered into that form into a MySQL database, you may be laying yourself open to a so-called injection attack, or more correctly an SQL injection attack. What is an injection attack, you ask? It is where somebody deliberately places text into one of the fields in your form that is designed to alter the SQL query your script runs. That query can then try to find out about your database: what tables it contains, what they are called, and whether there is data that can be selected from them and displayed on screen. You get the idea. If an attack is successful, the attacker may be able to extract data from your database and read it, copy it somewhere else, and then perhaps destroy your tables partially or completely. Anyone who knows enough about writing SQL, and can get the web server of the site they are attacking to run their query, can cause absolute havoc and really mess things up. That is why we are going to write about steps you can take to make this far more difficult. These steps make your PHP script somewhat longer and more involved, but a little caution is justified and worthwhile.

Here are some simple things you should do.

1. A new installation of MySQL comes with a root (administrator) account that has no password, and with anonymous "guest" accounts (accounts with an empty user name) that anyone can use to log in. Give the root account a password that is long and hard to crack, a good deal longer than six characters and not made of guessable words, and remove the anonymous accounts. We will put more details about this (plus how to do it) in further entries on this blog shortly.

2. Look into the PHP functions that escape the characters an attacker needs in order to break out of your SQL query (quotes, backslashes and the like). There are a few of these functions, and you apply them to the text entered by your user before that text is placed inside an SQL statement. Note that escaping only protects a value that sits inside quotes in your query; a number dropped into the query unquoted is still open to abuse. The more robust approach, available through PHP 5's mysqli and PDO extensions, is a prepared statement with bound parameters, where the user's data is never pasted into the SQL text at all.

3. Make sure that the PHP script you write to process your web form has very limited rights to the database it connects to. In other words, on a live web server never connect to the MySQL server as root or as any other so-called superuser. Use a separate user that has only the rights that script needs on that one database (for a form that stores entries, INSERT on a single table is often enough). Expect more on this in further blog entries.

4. You can, if you wish, give the tables in your database unusual names. So instead of a table called Users and a table called Customers, you could have a table called Marbles or a table called Gee_Gees. Sounds just plain mad? Well, maybe not: someone attacking your MySQL database has to find out the table name in order to select records from it or to destroy it. Treat this as a minor speed bump rather than a defence, though. On MySQL 5.0 and later the names of every table the connected user can see are listed in the INFORMATION_SCHEMA tables, so an injection can simply read them, and database error messages shown on the page often give names away as well. Steps 1 to 3 are what actually stop an attack.
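To show steps 2 and 3 together in working code, here is an added example, written for this edit and not taken from the original blog post. It assumes PHP 7 or later with the mysqli extension, a database called shopdb with a customers table (columns name and email), and a restricted MySQL account called formuser; all of those names, and the password, are made up for the example. The vulnerable function is kept beside the two safe ones so the difference is visible.

```php
<?php
// Added example (not from the original blog post). Assumed names: database
// "shopdb", table "customers" with columns name and email, and a restricted
// MySQL account "formuser". Create that account once, as root, with e.g.:
//   CREATE USER 'formuser'@'localhost' IDENTIFIED BY 'a-long-random-password';
//   GRANT INSERT ON shopdb.customers TO 'formuser'@'localhost';
// Everything else (SELECT, DROP, other tables, other databases) stays denied,
// so even a successful injection through this script cannot read or drop data.

// Step 3: connect as the restricted user, never as root.
function connect_restricted(): mysqli
{
    $db = new mysqli('localhost', 'formuser', 'a-long-random-password', 'shopdb');
    if ($db->connect_error) {
        // Never echo the raw error to the browser; it leaks database details.
        error_log('DB connect failed: ' . $db->connect_error);
        exit('Sorry, the form is temporarily unavailable.');
    }
    $db->set_charset('utf8mb4'); // escaping is only correct for the connection's charset
    return $db;
}

// VULNERABLE: user input is pasted straight into the SQL text. A name such as
//   Robert', 'attacker@example.invalid') --
// (note the trailing space after --) closes the string and the VALUES list
// early and comments out the rest, so the attacker controls the whole row.
// Even an honest name like O'Brien breaks this query with a syntax error.
function insert_customer_vulnerable(mysqli $db, string $name, string $email): bool
{
    $sql = "INSERT INTO customers (name, email) VALUES ('$name', '$email')";
    return $db->query($sql) === true;
}

// Step 2, first form: escape every value before it goes into the SQL text.
// real_escape_string() backslash-escapes quotes, backslashes, NUL, CR and LF.
// It ONLY protects values wrapped in quotes in the query, so keep the quotes.
function insert_customer_escaped(mysqli $db, string $name, string $email): bool
{
    $n = $db->real_escape_string($name);
    $e = $db->real_escape_string($email);
    $sql = "INSERT INTO customers (name, email) VALUES ('$n', '$e')";
    return $db->query($sql) === true;
}

// Step 2, preferred form: a prepared statement. The SQL text contains only
// placeholders; the values travel separately and are never parsed as SQL.
function insert_customer_prepared(mysqli $db, string $name, string $email): bool
{
    $stmt = $db->prepare('INSERT INTO customers (name, email) VALUES (?, ?)');
    if ($stmt === false) {
        error_log('prepare failed: ' . $db->error);
        return false;
    }
    $stmt->bind_param('ss', $name, $email); // 's' = string, one per placeholder
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Form handler. Validate the shape as well: an over-long "name" or an address
// without an @ is rejected before it ever reaches the database.
$db    = connect_restricted();
$name  = trim($_POST['name']  ?? '');
$email = trim($_POST['email'] ?? '');

if ($name === '' || strlen($name) > 100 || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
    exit('Please enter a name (up to 100 characters) and a valid e-mail address.');
}

if (insert_customer_prepared($db, $name, $email)) {
    echo 'Thank you, your details were saved.';
} else {
    echo 'Sorry, your details could not be saved.';
}
```

The prepared-statement version is the one the handler actually calls; the escaped version is shown because it is what the older mysql_ functions mentioned in the comments below this post amount to. Note how step 3 backs up step 2: if the formuser account holds only INSERT on one table, an injection that does slip through cannot select from other tables or drop anything.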

Expect more on this specific subject shortly, and come back to "The Computer Fixer Blog", new and launched July 2007, another great idea from Chephrenrepairs.com.

Prevention of an SQL injection attack is in itself a fairly small subject, but it requires a number of steps and some specific knowledge of PHP to do well.
We highly recommend Wellho.net, otherwise known as Well House Consultants Ltd, based in Wiltshire, for PHP training, and of course the forum they run on their web site; see the link here to Well House Consultants Ltd: http://www.wellho.net

Comments

Yes, there are lots of PHP functions that can help to thwart a MySQL injection attack. One of them is:
$fieldname = mysql_real_escape_string($_POST['fieldname']);

This function works and escapes a number of characters that a person injecting SQL would use. It doesn't work on every single version of PHP; I think you need PHP version 4.3.0 or higher for this function to work.
I use fieldname in this example, but in a real PHP script you would of course use the actual field names you have in your MySQL table!